Use this procedure to install an ASA FirePOWER module on an ASA. This procedure assumes that the ASA is already installed, configured, and running on a supported appliance and that you have reviewed all the tasks in Before Installing or Onboarding an ASA FirePOWER Module.
Perform these four tasks to install an ASA FirePOWER Module on an ASA:
- Load the FirePOWER Module on the ASA
- Configure the ASA FirePOWER Module Boot Image
- Configure the FirePOWER Module
- Direct Traffic to the FirePOWER Module
Load the ASA FirePOWER Module on the ASA
The ASA FirePOWER module uses "sfr" as its module name in the CLI and in the naming convention of its images. Complete these steps in order to load the ASA FirePOWER module on the ASA:
- Download the ASA FirePOWER module system software from Cisco.com to an HTTP, HTTPS, or FTP server that is accessible from the ASA FirePOWER module management interface. The file name on Cisco's software download page will look similar to this:
- Download the boot image from Cisco.com to the ASA. You can use either the Cisco Adaptive Security Device Manager (ASDM) or the ASA CLI in order to download the boot image to the device.
Note: Do not transfer the system software to the ASA at this point; it is downloaded later to the Solid State Drive (SSD).
Complete these steps in order to download the boot image via the ASDM:
- Download the boot image from Cisco.com to your workstation or place it on an FTP, TFTP, HTTP, HTTPS, Server Message Block (SMB), or Secure Copy (SCP) server.
- Connect to the ASA using ASDM and select Tools > File Management.
- Choose the appropriate File Transfer command, either Between Local PC and Flash or Between Remote Server and Flash.
- Transfer the boot software to the flash drive (disk0) on the ASA.
Complete these steps in order to download the boot image via the ASA CLI:
- Download the boot image on an FTP, TFTP, HTTP, or HTTPS server.
- Promote your session to user EXEC mode, enter the copy command into the CLI in order to download the boot image to the flash drive.
Here is an example that uses HTTP protocol (replace the <HTTP_Server> with your server IP address or host name):
ciscoasa# copy http://<HTTP_SERVER>/asasfr-5500x-boot-6.2.0-362.img disk0:/asasfr-5500x-boot-6.2.0-362.img
- Enter this command in order to configure the ASA SFR boot image location in the ASA flash drive:
ciscoasa# sw-module module sfr recover configure image disk0:/file_pathHere is an example:
ciscoasa# sw-module module sfr recover configure image disk0: /asasfr-5500x-boot-6.2.0-362.img
- Enter this command in order to load the ASA SFR boot image:
ciscoasa# sw-module module sfr recover boot
- Wait approximately 5 to 15 minutes for the ASA SFR module to boot up, and then open a console session to the operational ASA SFR boot image.
Configure the ASA FirePOWER Module Boot Image
Complete these steps in order to set up the the newly installed ASA FirePOWER Module boot image.
- From the ASA CLI, open a console session to the FirePOWER module (sfr module). Press Enter after you open a session in order to reach the login prompt.
Note: The default username is admin, and the default password is Admin123.
Here is an example:
ciscoasa# session sfr console Opening console session with module sfr. Connected to module sfr. Escape character sequence is 'CTRL-^X'. Cisco ASA SFR Boot Image 6.2.0-362 asasfr login: admin Password: Admin123
Tip: If the ASA FirePOWER module (sfr) boot has not completed, the session command fails and a message appears to indicate that the system is unable to connect over TTYS1. If this occurs, wait for the module boot to complete and try again.
- In the ASA FirePOWER console, enter the setup command in order to configure the system so that you can install the system software package:
asasfr-boot> setup Welcome to SFR Setup [hit Ctrl-C to abort] Default values are inside 
The setup procedure will prompt you for this information:
- Host name - The host name can be up to 65 alphanumeric characters, with no spaces. The use of hyphens is allowed.
- Network address - The network address can be either static IPv4 or IPv6 addresses. You can also use DHCP for IPv4, or IPv6 stateless auto-configuration.
- DNS information - You must identify at least one Domain Name System (DNS) server, and you can also set the domain name and search domain.
- NTP information - You can enable Network Time Protocol (NTP) and configure the NTP servers in order to set the system time.
- Enter the system install command in order to install the system software image. Include the noconfirm option if you do not want to respond to confirmation messages.
asasfr-boot >system install [noconfirm] url
Replace the url keyword with the location of the .pkg file. Here is an example:
asasfr-boot >system install http://<HTTP_SERVER>/asasfr-sys-6.2.0-362.pkg Verifying Downloading Extracting Package Detail Description: Cisco ASA-FirePOWER 6.2.0-362 System Install Requires reboot: Yes
Configure the ASA FirePOWER Module
- From the ASA CLI, open a console session in the ASA FirePOWER module (sfr module).
Note: A different login prompt now appears because the login occurs on a fully-functional module.
Here is an example:
ciscoasa# session sfr Opening command session with module sfr. Connected to module sfr. Escape character sequence is 'CTRL-^X'. Sourcefire ASA5555 v6.2.0 (build 362) Sourcefire3D login:
- Log in with the username admin and the password Admin123.
- Complete the system configuration as prompted, which occurs in this order:
- Read and accept the End User License Agreement (EULA).
- Change the admin password.
- Configure the management address and DNS settings, as prompted.
Note: You can configure both IPv4 and IPv6 management addresses.
Here is an example:
System initialization in progress. Please stand by. You must change the password for 'admin' to continue. Enter new password: <new password> Confirm new password: <repeat password> You must configure the network to continue. You must configure at least one of IPv4 or IPv6. Do you want to configure IPv4? (y/n) [y]: y Do you want to configure IPv6? (y/n) [n]: Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: Enter an IPv4 address for the management interface [192.168.45.45]:198.51.100.3 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0 Enter the IPv4 default gateway for the management interface : 198.51.100.1 Enter a fully qualified hostname for this system [Sourcefire3D]: asasfr.example.com Enter a comma-separated list of DNS servers or 'none' : 198.51.100.15, 198.51.100.14 Enter a comma-separated list of search domains or 'none' [example.net]: example.com If your networking information has changed, you will need to reconnect. For HTTP Proxy configuration, run 'configure network http-proxy'
- Wait for the system to reconfigure itself. You will know this has succeeded because when you log into ASDM, you will see several FirePOWER module tabs on the Home page.
Direct Traffic to the ASA FirePOWER Module
In order to direct network traffic to the ASA FirePOWER module, you must create a service policy that identifies specific traffic. Complete these steps in order to redirect traffic to an ASA FirePOWER module:
- In ASDM, Choose Configuration > Firewall > Service Policy Rules.
- Choose Add > Add Service Policy Rule.
- Choose whether to apply the policy to a particular interface or apply it globally and click Next.
- Configure the traffic match. For example, you could match Any Traffic so that all traffic that passes your inbound access rules is redirected to the module. Or, you could define stricter criteria based on ports, ACL (source and destination criteria), or an existing traffic class. The other options are less useful for this policy. After you complete the traffic class definition, click Next.
- On the Rule Actions page, click the ASA FirePOWER Inspection tab.
- Check the Enable ASA FirePOWER for this traffic flow check box.
- In the If ASA FirePOWER Card Fails area, click one of the following:
- Permit traffic —Sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
- Close traffic —Sets the ASA to block all traffic if the module is unavailable.
By default, the traffic is sent in inline mode. In an inline deployment, after the undesired traffic is dropped and any other actions that are applied by policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission.
- (Optional) Check Enable Monitor-only to send a read-only copy of traffic to the module.
In Monitor-only mode, a copy of the traffic is sent to the SFR service module but it is not returned to the ASA. Passive mode allows you to view the actions that the SFR module would have completed in regards to the traffic. It also allows you to evaluate the content of the traffic without an impact to the network.
Note: Be sure to configure consistent policies on the ASA and the ASA FirePOWER. Both policies should reflect the inline or monitor-only mode of the traffic.
- Click Finish, then Apply, and then Send if you are ready to write your changes to the running configuration.
- (Optional) Click File > Save Running Configuration to Flash if you are ready to write your changes to memory.
Repeat this procedure to configure additional traffic flows as desired.